{
  "name": "A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.",
  "slug": "a-security-alert-regarding-apt-c-28-scarcruft-using-miradorshell-to-launch-a-cyberattack",
  "description": "A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1 million to $3 million. Upon execution, a multi-stage payload is deployed, ultimately installing MiradorShell v2.0 to gain control of the system. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command-and-control server and offers reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.",
  "published": "2026-02-09T09:18:26+00:00",
  "created_at": "2026-02-09T09:18:26+00:00",
  "modified_at": "2026-02-09T10:44:34+00:00",
  "created_at_opencti": "2026-02-09T09:18:26+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-09",
    "backdoor",
    "miradorshell",
    "phishing",
    "scarcruft"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "65.21.182.178"
      },
      {
        "id": "",
        "name": "http://techcross-wne.com/include/plugin/snoopy/board/register.php"
      },
      {
        "id": "",
        "name": "http://techcross-wne.com/include/plugin/snoopy/board/libs/mrd.dat"
      },
      {
        "id": "",
        "name": "47cc83176cd36abf0b5624f33bcf044b8f880cf521689981f891e52fbb3dbfa3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:27d13ba6ba5b4072",
        "name": "MiradorShell",
        "slug": "miradorshell"
      }
    ],
    "intrusion_sets": [
      {
        "id": "bd64526a-ef5c-4493-b69f-fd21607a5b40",
        "name": "APT-C-28 (ScarCruft)",
        "slug": "apt-c-28-scarcruft"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Technology"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6989b4731b7121e79a9ff3ef",
    "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507801&idx=1&sn=e169339f921fd11a2fef8dfe068e616c&chksm=f9c1ec50ceb66546d829de5d705bad2606ff83a30f6ced192c904506ceec666b8cef37822fab"
  ]
}